Pfsense for 2 Gbps bandwidth
-
I want to use pfSense as a firewall/UTM in the data center with 2 Gbps bandwidth.
These services also must be enabled:
1. Network Security ( Firewall, NAT, IPS/IDS)
2. Web Security ( Web Filtering, Application Control)
3. Interfaces & Routing ( Bridging, QOS, ToS, Routing, VLan)
4. Monitoring & Logging & Alarming
I want to know whether pfSense can handle this throughput?
What hardware is required?
-
You can get those speeds on an i7 processor with something around 16-32GB to start with because you talk about IDS. It all depends on how many users you are looking to put on it.
Not sure about QoS over VLAN, I think that was a work in progress.
-
I want to use pfSense as a firewall/UTM in the data center with 2 Gbps bandwidth.
These services also must be enabled:
1. Network Security ( Firewall, NAT, IPS/IDS)
I am somewhat skeptical that 2Gbps IPS/IDS (in the case of pfSense it would mean 2Gbps Snort) will be possible with pfSense.
The rest, i.e. firewall, NAT, routing, VLAN, traffic shaping (QoS) and monitoring are doable.
2. Web Security ( Web Filtering, Application Control)
If by "application control" you mean features similar to those provided by the so-called NGF ("New Generation Firewall"), it's not currently possible.
Hardware would need to be a beefy Intel box, preferably with igb NICs.
PS: If this is your first contact with pfSense and this box is going to be put in production, your best option would be to contact BSDPerimeter via the commercial support option https://portal.pfsense.org/index.php/support-subscription
-
In your opinion, after installing pfSense on the HP ProLiant DL580 G5 with 4x 2.4 GHz Intel Xeon E7440 CPUs, 32 GB RAM and 2 10Gb 2-port server adapter NICs, what throughput can it handle with the options above enabled?
-
Massive overkill, pfSense won't take advantage of all those cores.
-
I know FreeBSD and Linux are both OSes that can give me all of the options with my hardware configuration.
Are you sure about that?
What is your advice to achieve maximum throughput (up to 10 Gb bandwidth) with pfSense only for these services:
Network Security ( Firewall rules, Port Security, Traffic Shaper, NAT, IPS/IDS)
Interfaces & Routing ( Bridging, QoS, ToS, Routing, VLAN)
I don't have any VPN, PPP or AAA services.
-
I don't have experience in such a scenario; you SHOULD contact pfSense support for advice.
-
Does anyone else have an idea?
-
The maximum throughput you will likely be able to achieve is ~4Gbps. That is just firewall and NAT. Adding extra services like you are asking for will slow things down. This is limited by the pf process which is single threaded and the fastest single thread CPU available.
Thus to build the fastest box choose a CPU from the top of this list: http://www.cpubenchmark.net/singleThread.html.
When you get up to these numbers though other factors start to come into play.
This is not from personal experience though. With such a high end machine the only people who will be able to give you an accurate answer are bsdperimeter.
Steve
-
The maximum throughput you will likely be able to achieve is ~4Gbps. That is just firewall and NAT. Adding extra services like you are asking for will slow things down. This is limited by the pf process which is single threaded and the fastest single thread CPU available.
Thus to build the fastest box choose a CPU from the top of this list: http://www.cpubenchmark.net/singleThread.html.
When you get up to these numbers though other factors start to come into play.
This is not from personal experience though. With such a high end machine the only people who will be able to give you an accurate answer are bsdperimeter.
Steve
So you're saying pf maxes out around 4Gbps? Is that per-interface or system wide?
I feel like there will be a major issue as 10GbE gets more and more prevalent if it's really 4gbps… :-\
-
That would be a system wide figure since there is a single process required for filtering. Probably best not to quote me on that though! ;)
There is work underway on a multithread version of pf which should remove that bottleneck. See: http://forum.pfsense.org/index.php/topic,50812.0.html
Of course the ~4Gbps figure is limited by the fastest single thread CPU available and they keep getting faster so it's probably more than that by now. I believe I read that some time ago.
Steve
-
An i3 is easily able to do 1 Gbps with IDS. Yes, I have tested it and hence I am saying it does. Go for an i7 or Xeon with a good amount of RAM and you should be all set for 4 Gbps. Ensure you have the supported network cards to achieve this. I highly advise a dedicated box for your setup for your kind of WAN speeds. With the present firewall apps nobody is able to use 100% of present high end CPU power 24x7 (I am not talking about Atom processors, only i3/i5/i7 and Xeon).
My current scenario is all on VMware. I initially started with an i5 dedicated box for my network. Was an overkill so I switched to an i3 and even that was an overkill for 22 users. Yes I had Squid, Snort, Dans all loaded and working beautifully. So I decided to take advantage of VMware and switched to ESXi. After loading 5 VMs I noticed heavy lag on the VMs as i3 lacks physical cores as compared to i5, so decided to bump it back to i5. Haven't looked back since.
My present i5 (second generation) VMware ESXi server has 5 VMs and pfSense is one of them. It is easily able to balance the load and give me 500Mbps without a hiccup. I tested the WAN speed on my internal network for a good whole weekend with continuous 4GB chunks of dummy data. Processor usage went high to about 40% as it juggled between all the 5VMs and the heavy data transfer load. At one point it was doing 590Mbps (all depends on how VMware can spare the cycles for which task). Other VMs were 2 domain controllers, 1 Exchange server and 1 Asterisk box.
This speed can come down depending on the number of users the pfSense box will service. You won't notice much difference with 5 to 10 users or even 20 users if the other VMs are not doing much processing.
-
Yeah, I only ask because I have 10Gig capable pfSense units, but I don't have a 10Gig switch or servers to really test it.
I hope one day we can do 10Gig routing and fully utilize the i3/i5/i7s and their Xeon variants.